3. External Intrusion
In January 2007, retailer The TJX Companies reported that its customer transaction systems had been hacked. The intrusions -- which occurred between 2003 and December 2006 -- gave hackers access to 94 million customer accounts. Stolen information was found to have been used in a US$8 million gift-card scheme and in a counterfeit credit card scheme. In mid-2008, 11 people were indicted on charges related to the incident, which was the largest hacking and identity theft case the US Department of Justice had ever prosecuted.
Costs: TJX has estimated the cost of the breach at US$256 million. That includes the cost of fixing computer systems and dealing with litigation, investigations, fines and more. It also includes payments to Visa (US$41 million) and MasterCard (US$24 million) for losses they incurred. The Federal Trade Commission has mandated that the company undergo independent third-party security audits every other year for the next 20 years.
However, others expect that costs may rise to US$1 billion, which would include the costs of legal settlements and lost customers. According to an April 2008 Ponemon study, 31 percent of a company's customer base and revenue source terminates its relationship with an organization following a data breach. And in its recently released annual "Cost of a Data Breach" study, Ponemon found that breaches cost companies US$202 per compromised customer record last year, compared with US$197 in 2007. Costs associated with lost business opportunities represented the most significant component of the increase. The average cost of a data breach in 2008 was US$6.6 million, compared with US$6.3 million in 2007.
Blinders: According to a 2008 Ponemon study, data breaches by hackers rank a distant fifth in terms of security threats. Indeed, about 14 percent of documented breaches in 2008 involved hacking, according to the ITRC. That doesn't mean companies shouldn't be wary, however. In TJX's case, hackers infiltrated the system by "war driving" and hacking into the company's wireless network. TJX was using subpar encryption, and it had failed to install firewalls and data encryption on computers using the wireless network. This enabled the thieves to install software on the network to access older customer data stored on the system and intercept data streaming between handheld price-checking devices, cash registers and the store's computers.
Eye-openers: According to Muller, the WEP encryption that TJX used on its wireless network was insufficient -- weaker even than what many home users have. "If from the parking lot you can gain access to the database, you need a higher level of data security and data encryption," he says. TJX had also stored old account information instead of permanently deleting it, Muller says.
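The lessons above (WEP on the store wireless network, no firewalls or disk encryption on the hosts using it, and old account data kept instead of purged) can be turned into a routine configuration audit. The following is an added example, not code from the article or from TJX; the inventory, host names, field names and 90-day retention window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample inventory (hypothetical, not TJX's real configuration):
# one store wireless segment plus the hosts that communicate over it.
@dataclass
class Host:
    name: str
    host_firewall: bool     # host-based firewall enabled?
    disk_encryption: bool   # stored data encrypted at rest?

@dataclass
class WirelessSegment:
    ssid: str
    security: str           # "open", "WEP", "WPA2" or "WPA3"
    hosts: list = field(default_factory=list)

# Wireless security modes the article's lesson rules out: WEP keys are
# recoverable from outside the building, and open networks need no key at all.
WEAK_WIFI = {"open", "WEP"}

def audit_segment(seg):
    """Return (severity, finding) tuples for one wireless segment and its hosts."""
    findings = []
    if seg.security in WEAK_WIFI:
        findings.append(("high", f"{seg.ssid}: {seg.security} wireless security is inadequate; move to WPA2/WPA3"))
    for h in seg.hosts:
        if not h.host_firewall:
            findings.append(("high", f"{h.name}: no host firewall on a wireless-connected host"))
        if not h.disk_encryption:
            findings.append(("medium", f"{h.name}: stored data is not encrypted at rest"))
    return findings

def stale_records(records, retention_days, today):
    """Account records last used before the retention window; these should be purged, not kept."""
    cutoff = today - timedelta(days=retention_days)
    return [r["id"] for r in records if r["last_used"] < cutoff]

# Constructed sample data: a register with neither control, a handheld with both.
SEGMENT = WirelessSegment("store-pos", "WEP",
                          [Host("register-01", False, False), Host("price-checker-07", True, True)])
RECORDS = [{"id": "acct-1", "last_used": date(2006, 1, 15)},   # well past any sensible window
           {"id": "acct-2", "last_used": date(2006, 12, 1)}]

if __name__ == "__main__":
    for sev, msg in audit_segment(SEGMENT):
        print(f"[{sev}] {msg}")
    print("purge:", stale_records(RECORDS, 90, date(2006, 12, 15)))
```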